[whatwg] postMessage: event.source allows navigation of sender

Hallvord R M Steen hallvors at gmail.com
Thu Feb 7 01:24:00 PST 2008


Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, and thus navigate
the sender window/document. I think this is a bug in the API itself.

This seems to violate the API's promise of safe cross-domain
communication even with untrusted documents. One can imagine use cases
where a script in document A has a reference to window B and thus can
post messages, but window B does not have any to A and would not under
normal circumstances be able to change A's address.

I think this should be addressed by removing event.source entirely. It
would be weird to disallow setting location on a window object in this
context only. To allow posting replies we could instead define a
function on the event object. Say for example

document.addEventListener('message', function(e) {
    if (e.data == 'Hi') {
        e.reply('Hello');
    }
}, false);


-- 
Hallvord R. M. Steen
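
Added example, not part of the original message and not code from any browser: a small Node model contrasting an event that hands the recipient the sender's window with one that hands over only a reply function, as the message proposes. FakeWindow, dispatch, deliverWithSource, deliverWithReply, runScenario and the example.test URLs are hypothetical names and constructed values.

```javascript
// Constructed model of two windows, runnable in Node; not browser code.
// All names here are hypothetical and exist only for this illustration.
class FakeWindow {
  constructor(origin) {
    this.location = origin + '/index.html';
    this.received = [];   // data of every message delivered to this window
    this.handlers = [];   // registered 'message' listeners
  }
}

function dispatch(target, event) {
  target.received.push(event.data);
  target.handlers.forEach((h) => h(event));
}

// Behaviour described in the message: the event exposes the sender's window.
function deliverWithSource(sender, target, data) {
  dispatch(target, { data, source: sender });
}

// Proposed alternative: the event exposes only a reply function. The closure
// keeps the sender's window reference out of the recipient's reach.
function deliverWithReply(sender, target, data) {
  dispatch(target, Object.freeze({
    data,
    reply: (msg) => deliverWithReply(target, sender, msg),
  }));
}

function runScenario(deliver) {
  const a = new FakeWindow('https://a.example.test');
  const b = new FakeWindow('https://b.example.test');
  // B's listener holds no reference to A except what the event hands over.
  b.handlers.push((e) => {
    if (e.data !== 'Hi') return;
    if (e.reply) e.reply('Hello');
    else deliver(b, e.source, 'Hello');
    // With a window reference, the recipient can also set its location.
    if (e.source) e.source.location = 'https://b.example.test/other.html';
  });
  deliver(a, b, 'Hi');
  return { senderLocation: a.location, senderReceived: a.received };
}

console.log('event.source:', runScenario(deliverWithSource));
console.log('e.reply only:', runScenario(deliverWithReply));
```

In both runs the sender receives the reply; only the run that exposes the window reference ends with the sender's location changed.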


